PT-2018-14942 · Portainer · Portainer

Gustavo Lichti

·

Published

2018-11-20

·

Updated

2019-10-03

·

CVE-2018-19367

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Portainer versions prior to 1.19.3

Description

Portainer exposes the unauthenticated API endpoint /api/users/admin/check, which reports whether the admin user has been created yet: it returns 404 while no admin user exists and 204 once one does. The admin password can only be set while that user does not yet exist (through Portainer's admin-initialisation endpoint, /api/users/admin/init), and that call is likewise unauthenticated. An attacker who reaches an instance in the 404 state before its operator does can therefore set the admin password and take over the instance, including every Docker endpoint it manages. There is no time limit on this window in the affected versions: an instance that is started and never initialised stays claimable for as long as it runs, and the 404 answer lets an attacker find such instances cheaply.

Recommendations

Portainer 1.19.3 is the first version outside the affected range; upgrade to it or later. For instances that cannot be upgraded yet, the problem is the time an instance spends reachable without an admin user, so close that window rather than relying on the check endpoint alone: create the admin user immediately when the instance is deployed, or pre-seed it at start-up with Portainer's --admin-password flag (which takes a bcrypt hash), so the 404 state is never exposed. As a further layer, place the instance behind a reverse proxy or firewall that restricts /api/users/admin/check, and the admin-initialisation endpoint alongside it, to trusted operator addresses. Finally, audit deployed instances by calling /api/users/admin/check yourself: 204 means the admin account exists, 404 means the instance is still claimable by anyone who can reach it.
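The check described above, turned into a read-only audit script. This is an added illustration, not code from the advisory or from Portainer: it asks /api/users/admin/check and maps the status code to a verdict, and it never creates or modifies an account. The embedded stub server is constructed only so the script can run offline against both states; it mimics the two status codes and nothing else of Portainer. The hostname in the usage comment is assumed.

```python
"""Check whether a Portainer instance is still waiting for its admin user to
be created, the state CVE-2018-19367 abuses.  GET /api/users/admin/check is
unauthenticated and answers 404 while no admin exists and 204 once one does.
This script only reads that status; it never creates or modifies an account.
Added illustration, not code from the advisory or from Portainer."""
import http.server
import sys
import threading
import urllib.error
import urllib.request

ADMIN_CHECK_PATH = "/api/users/admin/check"
ADMIN_MISSING = 404   # no admin user yet: whoever gets there first can set its password
ADMIN_EXISTS = 204    # admin user already created


def admin_check_status(base_url, timeout=5):
    """Return the HTTP status of GET <base_url>/api/users/admin/check.

    urllib raises on 4xx/5xx, so the 404 that signals exposure arrives as an
    HTTPError; its code is returned instead of being treated as a failure."""
    req = urllib.request.Request(base_url.rstrip("/") + ADMIN_CHECK_PATH, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Map the status code to a verdict; anything else is not a Portainer answer."""
    if status == ADMIN_MISSING:
        return "EXPOSED"
    if status == ADMIN_EXISTS:
        return "OK"
    return "UNKNOWN"


class _StubPortainer(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the demo: mimics only the two status codes the
    advisory describes.  This is not Portainer."""
    admin_created = False

    def do_GET(self):
        if self.path == ADMIN_CHECK_PATH:
            self.send_response(ADMIN_EXISTS if self.admin_created else ADMIN_MISSING)
        else:
            self.send_response(404)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output to the verdicts


def _start_stub(admin_created):
    """Start a stub on a free loopback port; returns (server, base_url)."""
    handler = type("Stub", (_StubPortainer,), {"admin_created": admin_created})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo():
    """Run the check against the stub in both states; returns {admin_created: verdict}."""
    verdicts = {}
    for created in (False, True):
        server, base_url = _start_stub(created)
        try:
            verdicts[created] = classify(admin_check_status(base_url))
        finally:
            server.shutdown()
            server.server_close()
    return verdicts


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:  # e.g. python check_portainer.py https://portainer.example.internal (assumed host)
        for target in targets:
            print(target, classify(admin_check_status(target)))
    else:
        print(demo())
```

Run it with one or more base URLs to audit real instances; with no arguments it exercises the stub in both states and prints the two verdicts. An EXPOSED result is urgent: the instance can be claimed by anyone who can reach it until an admin user is created.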
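One way to apply the access restriction above with nginx in front of Portainer. This is an added example, not configuration from the advisory or from Portainer; it assumes Portainer listens on 127.0.0.1:9000, that operators come from 10.0.0.0/8, and that the hostname and certificate paths exist. The prefix match is deliberately wider than the check endpoint alone, so that the admin-initialisation call under the same /api/users/admin/ prefix is covered by the same rule.

```nginx
# Added example (not from the advisory or from Portainer): nginx reverse proxy
# that keeps the admin bootstrap endpoints off the public side of a Portainer
# instance.  Assumptions: Portainer on 127.0.0.1:9000, operators on 10.0.0.0/8,
# hostname and certificate paths as placeholders.
server {
    listen 443 ssl;
    server_name portainer.example.internal;               # assumed hostname
    ssl_certificate     /etc/nginx/tls/portainer.crt;     # assumed path
    ssl_certificate_key /etc/nginx/tls/portainer.key;     # assumed path

    # The advisory's workaround, restricting /api/users/admin/check, extended to
    # the whole /api/users/admin/ prefix so the call that actually sets the admin
    # password (/api/users/admin/init) is gated by the same allow list.
    location ^~ /api/users/admin/ {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
    }

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
    }
}
```

This only narrows who can reach the bootstrap endpoints; it does not create the admin user. An operator on the allowed network still has to initialise the instance promptly, or the same race exists inside that network.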

Exploit


Related Identifiers

CVE-2018-19367

Affected Products

Portainer